It's European Cyber Security Month and this October we are looking at the pervasive but little-known issue of data exposure. With cyber attacks and malware becoming increasingly sophisticated, keeping data secure is a real challenge. Sometimes, though, businesses make it far too easy for those looking to get past their defences. Take data exposure, for instance.
While it's usually data breaches that make the headlines, data exposure can deliver as much damage to a business's reputation and its bottom line. Even without evidence that exposed data has been improperly accessed, a frequent line from affected organisations, the risks of regulatory action and lawsuits remain.
Data exposures occur when data is inadequately protected and stored so that it can be easily accessed online, sometimes even by accident. While a data breach requires an attacker, or at least malware, to target the business, a data exposure does not.
That means everyone is at risk, and all it takes for a data exposure to cause big problems for a business is for someone to find it. Often organisations do not know that they have had a data exposure and that their commercially sensitive information is up for sale to competitors. You don't want a phone call from the National Crime Agency about data that was exposed weeks, months or even years ago to be the first you hear of it.
The highest-profile recent example is Exactis. In June it was revealed to have been storing a database of personal information with 340 million records on a publicly accessible server. Unprotected by any firewall, it was accessible to anyone who knew where to look. The data included a huge range of details on individuals’ habits, tastes and interests, leaving those included in it vulnerable to social engineering attacks. It was, as one expert told Wired, which broke the story, “one of the most comprehensive collections” he had ever seen.
Not surprisingly for the US, the first class action lawsuit against Exactis has already been filed. That is despite there being no evidence as yet that any criminals have actually accessed the data. In Britain and Europe, meanwhile, the regulatory consequences since the implementation of GDPR could be just as serious, or more so.
The Exactis leak may be the biggest of recent times, affecting as many as half of all Americans, but it is far from the only one. Facebook's recent security breach, in which the details of almost 50 million users were left exposed by a security flaw, was just as high profile if not more so. And earlier in the year, Twitter admitted it had stored users' passwords in plaintext on an internal system: a bug meant they were written to an internal log before being hashed, the one-way transformation that is supposed to ensure no one at the company, or outside it, can ever see them.
Again, the company said there was no evidence anyone had accessed the file. But it still advised users to change their password.
Not simply about cloud security
Part of the problem with data exposure is that – unlike with a breach – there won’t necessarily be anything to alert you to a problem. If data is stored insecurely, unencrypted or simply in the wrong place, a data exposure results, without any further trigger. There’s no network attack, phishing email or malware to detect.
As a result, data exposures can remain for long periods unless picked up by chance or through an audit. Last November, for instance, Australia's Department of Social Services had to notify thousands of current and former employees that their personal and financial data had been left exposed from June 2016 until October 2017.
While there may be no activity to alert the business to the exposure, however, that does not mean data exposures are difficult to find for those who want to: the Exactis data was discovered by a security researcher examining the security of Elasticsearch databases, which are widely used. He used the search tool Shodan, which indexes internet-connected devices and services, to rapidly identify thousands of them. It is certain that criminals are doing the same with less benevolent intentions.
There are also a number of ways that data exposures can come about. Frequently in recent cases it has been down to the growing prevalence of Cloud technologies. That was the case in the Exactis exposure, as it was with Salesforce, which recently revealed that users of its Cloud products may have been affected by a glitch that saw their data copied to other users' systems. As teething problems are overcome, some of these problems will be resolved.
However, data exposure is just as likely to be down to bugs in software installed locally or improper configuration of systems. That means there are a number of ways things can go wrong.
Making data breaches worse
Finally, and related to this, there is another problem with tackling data exposure: there are no clear lines between data exposure and data breaches. Sometimes the exposure will only come to light as a result of a breach. Data may be protected by a firewall but not encrypted as it should be, as in the case of Telefonica. A month after the Exactis story broke, the Spanish telecoms operator admitted that millions of customers' personal data had been exposed.
“Surprisingly, the Telefonica customer data was easily downloadable as an unencrypted spreadsheet,” remarked one security expert.
This combination of data breach and exposure has practical and serious implications: had the data been encrypted, a breach such as Telefonica's would very likely not have required notifying the affected customers under GDPR, since the data would have been unintelligible to whoever took it. Without encryption, it had to be reported, and could result in a fine from the data protection authorities.
The scale of the cyber security challenge means that regulators may have some sympathy for businesses that are breached by determined hackers. That sympathy is likely to disappear fast if businesses do not use appropriate tools to safeguard customers in the event of a breach, however.
Covering yourself: How to protect against data exposure
The best way to avoid problems from data exposure is, obviously, to avoid them in the first place. As this piece makes clear, looking at your databases is a good place to start. Many recent exposures have concerned open-source "NoSQL" databases, which include the MongoDB database program. Again, failure to secure these databases doesn't just lead to data exposures, including, in one memorable case, the details of all 93.4 million Mexican voters being made publicly available on an Amazon cloud server; it also presents easy pickings for cyber criminals, including ransomware attackers.
Shodan shows there are still tens of thousands of unprotected MongoDB databases.
The benefits of these databases in being quick to set up and scale up, spreading data across multiple servers, are significant. But they need to be properly configured to ensure that data is protected. Cloud services aren’t the only source of data exposure, but their nature means they’re designed to be accessed remotely; you need to control who is doing so.
Consequently, when setting up Cloud databases, take particular care:
• Make sure you are downloading the latest version of the software, and keep it updated and patched
• Don’t assume the default security settings are appropriate
• Restrict access to only those who genuinely need it
• Enable authentication and ensure strong, unique passwords are in place
• Regularly review the settings and security around these databases to ensure they are still appropriate
• For sensitive data, take expert advice.
One further tip at the outset: whatever the protection around the database, for the company's most valuable and sensitive data it is wise to consider encryption. Given the increased risks in terms of penalties and the costs of notification under GDPR, it is usually a worthwhile investment.
Time for a data exposure audit
Finally, businesses also need to review their existing data, to pick up on historic mistakes. For any easily accessed, unprotected data the exposure will already have occurred, but the quicker you can identify and address it the better: it is much better to find it yourself and have some control over how it is announced than to let others do it for you.
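The configuration checklist above and the audit recommended here can be partly automated. The following is an added example written for this article, not code from any of the organisations or products it mentions: it reads a mongod.conf and flags the settings that turned up in the MongoDB exposures discussed (listening on every interface, no authentication, no encryption at rest). The two configurations embedded in it are constructed samples, one typical of an exposed deployment and one hardened; the tiny YAML parser handles only the indented key: value subset that mongod.conf uses, which is an assumption made to keep the example free of third-party dependencies.

```python
"""Audit a mongod.conf for settings that commonly lead to data exposure.

Added example (not part of the original article). Standard library only.
"""
from typing import Dict, List, Tuple

Config = Dict[str, object]


def parse_simple_yaml(text: str) -> Config:
    """Parse nested 'key: value' lines (space-indented) into nested dicts.

    Assumption: only the plain mapping subset of YAML that mongod.conf uses
    (no lists, no quoting). '#' comments and blank lines are ignored.
    """
    root: Config = {}
    stack: List[Tuple[int, Config]] = [(-1, root)]  # (indent, mapping)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:          # climb back out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":                 # section header -> new mapping
            child: Config = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip()
    return root


def get(cfg: Config, path: str, default=None):
    """Look up a dotted path such as 'security.authorization'."""
    node = cfg
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(cfg: Config) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for exposure-relevant settings."""
    findings: List[Tuple[str, str]] = []

    # 1. Who can reach the database at all?
    bind_ip = get(cfg, "net.bindIp")
    bind_all = str(get(cfg, "net.bindIpAll", "false")).lower() == "true"
    addrs = [a.strip() for a in str(bind_ip).split(",")] if bind_ip else []
    listens_publicly = bind_all or any(a in ("0.0.0.0", "::") for a in addrs)
    if listens_publicly:
        findings.append(("HIGH", "net.bindIp/bindIpAll: mongod listens on every interface"))
    elif not addrs:
        findings.append(("MEDIUM", "net.bindIp unset: MongoDB before 3.6 defaulted to all "
                                   "interfaces; set the listening addresses explicitly"))

    # 2. Does a client that can connect need credentials? (The Exactis pattern
    #    was a reachable database with no authentication at all.)
    auth = str(get(cfg, "security.authorization", "disabled")).lower()
    if auth != "enabled":
        severity = "CRITICAL" if (listens_publicly or not addrs) else "HIGH"
        findings.append((severity, "security.authorization is not 'enabled': any client "
                                   "that can connect can read and write every database"))

    # 3. Is data at rest protected if the disk or a backup leaks?
    if str(get(cfg, "security.enableEncryption", "false")).lower() != "true":
        findings.append(("INFO", "security.enableEncryption off: files on disk are plaintext "
                                 "(option needs MongoDB Enterprise; otherwise use disk encryption)"))
    return findings


# Constructed sample: the shape of most publicly exposed MongoDB instances.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # reachable from anywhere
"""

# Constructed sample: bound to loopback and one internal address, auth on.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.0.5
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for severity, message in audit(parse_simple_yaml(conf)):
            print(f"  [{severity}] {message}")
```

Run against a real file, the script takes seconds per host and gives you the finding list before anyone using Shodan does; the weak sample produces a HIGH for the listening address and a CRITICAL for missing authentication, while the hardened sample leaves only the informational note about encryption at rest.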
You should also make sure you have in place a detailed response plan for any exposures identified: Much of it is likely to be the same as the response to data breaches.
As with general data protection, identifying and securing exposed data requires knowing what data you hold, and where it is stored. Preparations for GDPR should prove helpful here, as organisations should have a good grasp of the personally identifiable information they hold. Reviewing the protections and security around this is a good place to start, and will address much of the regulatory risk around data exposures. Bear in mind, though, that it’s not the only data you will want to restrict access to: Commercially sensitive information, intellectual property and data on business partners will also need protecting – just as it would against breaches.
In fact, none of this should really be new: the steps for avoiding data exposures are similar to those for mitigating data breaches, which is perhaps not surprising given the overlap between the two. Businesses need to identify their valuable information, look at where it is kept and who has access, and ask whether the controls and protections in place are appropriate. If you don't ask these questions, then you should assume that, sooner or later, someone else will.